118 comments

[ 3.6 ms ] story [ 164 ms ] thread
Well played, anonymous hacker. I even respect your lack of political posturing.

For when this gets fixed, right now techcrunch.com is an empty html page that contains <a href="http://nottherealurl.com/ title="rapidshare downloads">rapidshare downloads</a>

Edit: now it is a blank html page that contains only "hi". Someone from HN rehacked it? Or it's about to be fixed.

It was linking to dupedb .com when I looked a minute ago. Now all I see is text saying hi
Before that, it (automatically redirected?) was some affiliate link. I came page to the tab to see 'this offer is not available in your country'.
Looks like it's switching around depending on what backend their load balancer throws you to. It's jumping around for me, which suggests they don't have any session affinity. Interesting, but I guess it's not required for their kind of app.
site, for their kind of site.
These days, that's a distinction without a difference. All websites that couldn't usefully be delivered as PDFs are applications by definition.
Techcrunch could be delivered as a PDF. I get it on my Kindle.

Just as most new web sites are not startup companies, most existing web sites are not apps.

The distinction and difference is that a software application helps a user perform manipulation or transformation of data as useful work.

Most websites, despite simple interactivity (e.g. search), are still published as "content" for consumption within a content access application, not for manipulating work|play|creative output.

And the comments on the posts are built into a PDF?
Who reads TechCrunch comments? they're worse than youtube, at least youtubers are not self-promoting.
The line between those two words blurs more every day
(comment deleted)
A hack for the sake of hacking - gotta respect.
Either they've been hacked again, or they're really onto it now. The page is now blank with the text: "We'll be back soon."
I saw "We'll be back soon." page once when I submitted comment on one of he article.
(comment deleted)
(comment deleted)
(comment deleted)
I am surprised this news wasn't posted on TechCrunch before... oh wait.
One day too early, if they were going for maximum damage.
Yeah, he/she/they definitely should have done this on Wednesday at 10:00 AM (or whenever the Apple event is) if they were looking to cause any sort of damage.
Who ever is behind this is changing the html page, 4 mintues ago it was <a href="http://dupedb.com/ title="rapidshare downloads">rapidshare downloads</a>. Now the source says "hi". Strange times.
(comment deleted)
Hope they have backups and don't loose data. As much as I hate that their quality has gone down, I hate to see someone's hard work get killed by something like this.
Maybe people will finally stop using the duct-taped spaghetti called "wordpress".
What would you suggest as an alternative?
Jekyll outputing a static HTML blog, with Disqus for comments. I have a rule of no dynamic content on my webserver.

http://jekyllrb.com/

(Yes, my blog is currently hosted at wordpress.com, but I'm evaluating Jekyll as part of the next round of server migrations. I started with wordpress.com years ago when I didn't want to run WP on my own server, but wanted the ease of a blog.)

That's not a bad rule. I've actually been considering using sphinx http://sphinx.pocoo.org/ for my blog reboot. Mostly because I'd like to offer visitors a choice of formats, read bits and pieces on the web or grab the whole thing as a PDF or reasonably priced e-book.
from my experience, wordpress itself is quit solid, most vulnerability are from third party plugins.
I'm not knocking WordPress, I've seen people do amazing things with. But for my needs it's not quite the right fit.
"It's safe because I haven't been hacked yet." Meanwhile, pretty much everyone in the security community running Wordpress on their own sites got hacked via it in 2008-9.
Django CMS has massive momentum behind it right now. I'm still getting started with it so I can't speak properly of the quality yet.
There is no usable blogging software.
redirected me first time to http://www.twply.com/ then it came up next time with "hi"
A page which politely invites you to enter your Twitter user name & pw. [ I politely declined. ]
well this sucks.

but i feel the hack was done today instead of tomorrow to let them know the hackers displeasure on something. but not to really hit them when it matters... (which is tomorrow for apple presentations )

maybe its just a warning perhaps.

I am sure techcrunch is working on this...

wordpress systems are pretty stable but all systems have a loophole.. on many systems, you can't avoid the hacking because it is the human errors (or negligence)

Apple event is Wednesday, not tomorrow.
I always let out a disappointed sigh when I have to remind people of things like this, but tomorrow is Wednesday for a lot of the world.
Yes, I'm aware of that. However, it's not for any of the relevant parties in this story (TC, HN, Apple), and the Apple event is a fixed number of hours away, regardless of what time zone you're in, and that number of hours is sufficient that the event is not "tomorrow". Or I'm up way too late and not thinking clearly :)
More likely it was an automated attack carried out by bots. I'm still putting my money on the recent rash of non-secure FTP exploits (client side).
This was no automated attack. The page was updated with a series of what could only be hand written messages as TC tried to overwrite what the hacker was uploading. At one point the whole page turned to "o_O".
And.... We're back.

Now, how long til we get Arrington's spin?

(comment deleted)
30 mins later, no we're not
Now it's back. Restored. Glad nothing disappeared.
all I'm seeing is "we'll be back shortly" it could be the hacker changing it
(comment deleted)
(comment deleted)
(comment deleted)
(comment deleted)
It has just been hacked again....

The html: <title>LOL HACKED</title>

<center><h1><b>WHAT A FUCKING USELESS HACK ISN'T IT? BLEH.</b></h1></center><br>

<h1><a href="http://dupedb.com/ title="rapidshare downloads">http://dupedb.com/</a></h1><br>;

(comment deleted)
once you're lucky, twice you're good
In my area (Europe) I still see this message. Also no redirection on the dubedb.com link.
now it says, "We'll be back shortly."
(comment deleted)
At one point, the source said <!-- WP Super Cache is installed but broken. The path to wp-cache-phase1.php in wp-content/advanced-cache.php must be fixed! -->
Visitors should be awake that visiting tc.com rightnow is equivalent to visiting an suspicious, untrustred site. It could serve malicious content that takes advantage of unknown vunerabilities even on fully patched systems... although i'd hope the hn audience is savvy enough to know this.
You generally don't wipe out the main page before serving malicious content.
"Visitors should be awake that visiting tc.com rightnow is equivalent to visiting an suspicious, untrustred site"

Surely that's the case every day???

LMFAO

WOW, de-karma'd for that!

Someone needs to find a sense of humor.

Really? Let's call this "cracked," not "hacked" – we're only furthering the misunderstanding by using the incorrect term here, too.
How about hackers everywhere give up on reclaiming this term. It's not going to happen. That way I don't have to see this post on every single story about malicious intrusion that comes up on social news sites.
The difference is that this site is called "Hacker News."
I appreciate that whoever runs the site can call it whatever they like, but I wish they hadn't chosen 'Hacker News'. I know that it's my own prejudices at play here but it's simply embarrassing to have 'Hacker News' staring out from the top of my browser window. It's so ridiculous I can't even bring myself to say it, when I discuss links with a friend who also checks this site the conversation starts with 'did you see that article about X on the, er, the YCombinator news site?'.
Also note that it's possible for a single word to have multiple meanings depending on context, this includes even opposite meanings with opposite connotations. In the context of news.yc.com the term "hacker" generally has a different meaning than the term has elsewhere, especially in the context of unauthorized, malicious intrusion into a computer system.

Similarly a term such as "killer" may have an extremely negative connotation in the context of a grisly homicide yet the same word may have a positive connotation and a completely different meaning (dominant, superlative, desirable) in other connotations. Such is the dynamic, flexible, and adaptive nature of language (outside the realm of the pedant).

Main Entry: hack·er Pronunciation: \ˈha-kər\ Function: noun Date: 14th century

1 : one that hacks 2 : a person who is inexperienced or unskilled at a particular activity <a tennis hacker> 3 : an expert at programming and solving problems with a computer 4 : a person who illegally gains access to and sometimes tampers with information in a computer system

Three out of four possible Merriam-Webster definitions are negative.

Only the 4th one seems negative to me... 1) is neutral (since hack has atleast 1 +ve meaning), is positive and 2) is as similar to inexperienced/unskilled whose connotation is context dependent(imho)
(comment deleted)
This isn't slashdot; I don't think we make the distinction here. Crackers can still be hackers.
I think that ship has sailed, unfortunately. You might as well try to reclaim the word "gay" for happy/cheery.
Could be a widespread WP security hole..
Never attribute to a platform bug what can be explained by misconfiguration.
(comment deleted)
That's very possibly the vector.

If you can place a .php file in the plugins directory located here: http://www.techcrunch.com/plugins/

And then if you call the script as per your example, then it appears that plugin is loaded (and evaluated).

Someone else more versed in PHP might want to cast their eyes over the wordpress plugin to see whether I'm right: http://wordpress.org/extend/plugins/wp-super-cache/

But it appears it's a case of globals not being checked prior to use: http://php.net/manual/en/security.globals.php

So at first glance and with limited info... it's a plugin. Not that this surprises me, I still use vBulletin and I spend a lot of time code-reading the plugins for that before I use them. Mostly to make sure they don't do silly things like have SQL inside a loop over potentially lots of items, but also for the obvious security holes.

register_globals is an old one though, should be disabled: http://drupal.org/node/222343

They had register_globals on? @_@

I hope they go for the radical openness option and do a full public post-mortem. A teachable moment like this should not be wasted.

register_globals was known to be a bad idea in 1999 for crying out loud.

phew I don't feel bad now. I wrote a HTML preprocessor in 1999 to allow PHP-like embedding of Perl in webpages. It did the equivalent of register globals. I still have it up on my website but with a big warning that says "this has known security issues, don't use it". At least someone else made the same mistake around that time :)
How do you come to the conclusion that it was because register_globals was turned on?

There's not even a valid reason to turn that setting on, with legacy not even being an excuse.

I sure hope this isn't the case, but everyone saying 'outage would caused more damage Wed. morning' might get their wish.
Did Apache behind TechCrunch always add "X-Pad=avoid browser bug" header ?

Apparently few Apache 1.x installations use to send this header as part of some fix for few versions Netscape.

Edit: TC seems to acknowledge the hack now. Also, the header X-Pad is missing now.

"Earlier tonight techcrunch.com was compromised by a security exploit.

We're working to identify the exploit and will bring the site back online shortly."